Computer Hope
Software => Computer viruses and spyware => Topic started by: Zebar on July 03, 2005, 10:23:21 AM
-
Hi, newbie here - hope you can help. My PC has suddenly and for no apparent reason decided to slow down to a near crawl. I have tried a system restore - no good. I have tried defragmenting - got to 3% after 36 hours so I stopped it. I ran Spybot - it found some bogeys - but would not fix them - said some dll file was missing? Now I cannot even start it up. It gets as far as my wallpaper and the start button and that's it - after about 8 hours. I'm assuming this is malware-related but I really don't know. Any help would be much appreciated.
-
Well, if you can not start the computer, then your best thought would be to reformat....
Flame
-
Yeah - but I was hoping to avoid this in order to avoid losing all the data. The problem seems to be progressive - at first it was slow to boot up, but did and I was able to connect to the Internet, now it is just freezing.
-
Have you tried safe mode? Run Spybot and your AV from there.
-
Do you have a CD burner? You can save all your data to a CD in safe mode and then erase if you can not fix it...
Flame
-
Thanks - Gonna try that when I get home - wasn't sure whether Spybot would work in safe mode. I know it's hard to tell but is it possible it's a hardware problem? That's another reason I don't want to reformat - I'd hate to erase all that data and then find out it's the CPU or something.
-
Yeah - I have a CD burner. Thanks, I'll try this.
-
Actually, many people do not know this, but you SHOULD run system restores, etc. in safe mode for the best results... Surprising, eh? Give us a shout when you get a chance to try these suggestions...
Flame
-
AVG Free (http://free.grisoft.com/doc/1)
-- Anti virus scanner
Adaware SE Personal (http://www.lavasoftusa.com/software/adaware/)
-- Anti spyware scanner
Microsoft Antispyware (http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en)
-- Anti spyware scanner. Windows XP Home and Professional only.
Spybot Search & Destroy (http://www.safer-networking.org/en/mirrors/index.html)
-- Anti spyware scanner
ZoneAlarm Free (http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp)
-- Free firewall - more user friendly
Sygate Personal (http://smb.sygate.com/products/spf_standard.htm)
-- Free firewall - more configuration options
Download, install and configure these programs. Apply them in safe mode.
-
Have most of those on the PC.
Tried running Spybot in safe mode. Safe Mode took about 20 minutes to boot up. Spybot ran ok and found a number of problems - however, when I tried to fix the problems it came up with various errors. One said a dll file was not a valid windows image. Another said a dll file (wbtengine.dll) could not be found.
-
You should use a registry cleaner first.
-
Where will I get a registry cleaner? I can't connect to the Internet in Safe mode. When I try to boot up normally it just freezes.
-
If you are using Windows XP, you should select safe mode with Network support.
Or copy the data onto a medium.
Easy Cleaners (http://personal.inet.fi/business/toniarts/ecleane.htm)
-- Freeware registry scanner
Registrar Lite (http://www.resplendence.com/reglite)
-- Excellent replacement for Windows Regedit
Crap Cleaner (http://www.ccleaner.com/)
-- Freeware registry scanner/history cleaner
(Does anyone have any recommendations?)
-
I recommend that we first try and figure out what the OS is. It's a waste of time trying to clean it up while restore is running.
-
HJT LOG
Part 1:
Logfile of HijackThis v1.99.1
Scan saved at 17:45:38, on 08/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\System32\khooker.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\OpenOffice.org1.1.0\program\soffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Colin Shaw\Desktop\HJT\hijackthis1991.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
R3 - URLSearchHook: (no name) - {34A44FCF-50E3-63A5-A8DA-7835752B9571} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: OpenOffice.org 1.1.0.lnk = C:\Program Files\OpenOffice.org1.1.0\program\quickstart.exe
O4 - Global Startup: Image Transfer.lnk = ?
-
Part 2:
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/inflaterball/miniclipGameLoader.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientIn...3/OCI/setup.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
-
Colin, I would download Spy Sweeper from webroot.com
And my two cents' worth: I would disable system restore completely, and remote access... and a bunch of other stuff... software cures software...
-
Zebar... Well, I just had a look at your HijackThis log... and it does contain some spyware, which may be the source of your issues...
I would do the following:
1. Turn off the system restore feature.
2. Reboot into SAFE Mode.
3. Open your Task Manager (Ctrl/Alt/Del) and click on the Processes tab.
4. Look for ViewMgr.exe (if it's listed, highlight it and click END Now).
5. Open your HijackThis log and mark for removal the following:
R3 - URLSearchHook: (no name) - {34A44FCF-50E3-63A5-A8DA-7835752B9571} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaengine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Now click fix marked.
Now reboot and see how things are.
Run HijackThis again and post the new log.
Hopefully things will be OK...
I would rescan with your AV again and Ad-aware and also Spybot.
Then if it's clean, turn on the system restore feature.
cheers
dl65 ::)
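
An added example, not part of the original thread: before ticking entries in HijackThis, it is worth confirming that every line on a helper's fix list really appears in your own log, and seeing which entries the log shows with a "(no file)" or "?" target. The sketch below does both on a few lines copied from the log above; the function names are hypothetical, and matching is case-insensitive because Windows paths are (the fix list spells cdaengine0400.dll differently from the log).

```python
import re

# Sample input: a handful of lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
R3 - URLSearchHook: (no name) - {34A44FCF-50E3-63A5-A8DA-7835752B9571} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - Global Startup: Image Transfer.lnk = ?
"""

# The three entries marked for removal, exactly as typed in the reply.
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {34A44FCF-50E3-63A5-A8DA-7835752B9571} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaengine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O4 - HKLM\..\Run: ..."

def parse_entries(text):
    """Return [(section, detail)] for entry lines; headers and process paths are skipped."""
    matches = (ENTRY.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def _key(section, detail):
    # Compare case-insensitively and with whitespace collapsed.
    return section, " ".join(detail.split()).casefold()

def check_fix_list(log_text, fix_text):
    """Split the fix list into entries present in the log and entries that are not."""
    present = {_key(s, d) for s, d in parse_entries(log_text)}
    found, missing = [], []
    for s, d in parse_entries(fix_text):
        (found if _key(s, d) in present else missing).append((s, d))
    return found, missing

def unresolved(log_text):
    """Entries whose target is shown as '(no file)' or '= ?' in the log."""
    return [(s, d) for s, d in parse_entries(log_text)
            if d.endswith("(no file)") or d.endswith("= ?")]

if __name__ == "__main__":
    found, missing = check_fix_list(SAMPLE_LOG, FIX_LIST)
    print(len(found), "fix-list entries found,", len(missing), "missing")
    print("unresolved targets:", unresolved(SAMPLE_LOG))
```

Any entry reported as missing should be queried with the helper rather than matched by eye against a similar-looking line.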